Saturday, June 14, 2014

Beginning Memory Forensics – Getting the contents of RAM - DumpIT

Why would we want to do memory Forensics?

As I’ve said previously, when analyzing an intrusion, or any signs that there may have been an intrusion, the more data we have the better. This data can come from the IDS/IPS, log sources, etc. One area we should not exclude is the memory of the device we are investigating. Using only the log sources and IDS alerts, it is unlikely we will get a full picture of all the running processes, the listening and/or established network connections, etc.

In this post we focus on getting the memory contents of a Windows 2003 SP2 system using DumpIT. According to the description on the moonsols.com website, "This utility is used to generate a physical memory dump of Windows machines. It works with both x86 (32-bits) and x64 (64-bits) machines".

So without further ado, let's DumpIT. Using this tool is super easy: all you do is run the executable and it creates the image in the directory from which the executable was run. The file name is a combination of the computer name, the date and a final number of which I'm not sure what it is at this time. The extension of the file is ".raw". An example of the filename is "SECURITYNIK-SRV-20140613-015002.raw".

As can be seen above, first we executed "dumpit". The second step in the process is to press "Y" or "N" depending on whether you would like to continue. Once you press "Y", the process runs and, once it completes successfully, you will see "Success".
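Once the image is written, the first thing an investigator wants is a chain-of-custody record: which host it came from, when it was taken, how big it is and its hash, so that later Volatility work can be tied back to an unmodified acquisition. The script below is an added example and not part of this post or of DumpIT; it assumes the file name follows the "computer name-YYYYMMDD-six digits.raw" pattern shown above and treats the trailing six digits as HHMMSS, which is an assumption, not something the post states.

```python
import hashlib
import json
import os
import re
from datetime import datetime

# Assumed pattern for the DumpIT file name shown in the post:
# <computer name>-<YYYYMMDD>-<six digits>.raw. Reading the trailing six
# digits as HHMMSS is an assumption; the post does not say what they are.
DUMPIT_NAME = re.compile(r"^(?P<host>.+)-(?P<date>\d{8})-(?P<time>\d{6})\.raw$")


def parse_dumpit_name(filename: str) -> dict:
    """Split a DumpIT-style file name into host name and acquisition timestamp."""
    m = DUMPIT_NAME.match(os.path.basename(filename))
    if not m:
        raise ValueError(f"not a DumpIT-style file name: {filename}")
    acquired = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S")
    return {"host": m["host"], "acquired": acquired.isoformat()}


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash the image in 1 MiB chunks so multi-gigabyte dumps never have to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquisition_record(path: str) -> dict:
    """Build a chain-of-custody record for a freshly written memory image."""
    record = parse_dumpit_name(path)
    record["file"] = os.path.basename(path)
    record["size_bytes"] = os.path.getsize(path)
    record["sha256"] = sha256_file(path)
    return record


if __name__ == "__main__":
    import sys

    # Usage: python dumpit_record.py SECURITYNIK-SRV-20140613-015002.raw
    print(json.dumps(acquisition_record(sys.argv[1]), indent=2))
```

Store the printed record alongside the image (or in the case notes) and re-run the hash before analysis to confirm the dump has not changed.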

That's it. In the next post we will use Volatility to analyze the memory.
